『原创』爆破 PowerCHM v3.3 build 0306 汉化版
发表于: 2005-3-27 00:12 3754
破解过程
1;软件介绍POWERCHM
一个制作CHM的软件,可以读入PDF!从2ddK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4J5M7$3E0&6i4K6u0W2j5$3!0E0i4@1f1@1i4@1t1^5i4K6S2n7i4@1f1^5i4@1u0p5i4@1u0p5i4@1f1%4i4K6W2m8i4K6R3@1i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1#2i4K6R3^5i4@1t1H3i4@1f1&6i4K6R3J5i4@1p5K6i4@1f1&6i4K6R3%4i4K6S2o6i4@1f1&6i4K6R3K6i4@1u0p5i4@1f1$3i4K6R3&6i4@1u0q4i4@1f1@1i4@1t1^5i4K6S2p5i4@1f1#2i4K6R3^5i4@1t1H3i4@1f1$3i4@1t1K6i4@1p5^5i4@1f1#2i4K6R3$3i4K6S2o6i4@1f1%4i4@1p5H3i4K6R3I4i4@1g2r3i4@1u0o6i4K6R3I4
2;本人才学破解,又因为这个软件为汉化版,汉化的不完全,好多字符串都不能正常显示
3;破解工具
OllyDbg 1.10汉化版,W32Dasm,FileMon,UltraEdit 32,PEiD
4;破解过程
A;先用PEID查壳,无壳
B;用一下,发现是用KEYFILE加密的,用FILEMON察看,发现在安装文件夹里多出了一个(reg.ini),这个文件就是密码保存的地方
C;用W32Dasm反编译,用OllyDbg动态调试, 发现在43962F处为关键跳转,发现密码一定要是120位,因为发现好像是CRC16算法,就没有跟了(本人没有算法基础,呵呵)
0043950B |. E8 B25F0300 call PowerCHM.0046F4C2
00439510 |. 8B4424 14 mov eax,dword ptr ss:[esp+14]
00439514 |. 8B40 F8 mov eax,dword ptr ds:[eax-8]
00439517 |. 83F8 78 cmp eax,78
0043951A |. 0F8C D40400>jl PowerCHM.004399F4 ; 不能跳---》跳向WRONG
00439520 |. 3D 82000000 cmp eax,82
00439525 |. 0F8F C90400>jg PowerCHM.004399F4 ; 不能跳---》跳向WRONG
0043952B |. 68 B8D94B00 push PowerCHM.004BD9B8 ; ASCII "16AC3"
00439530 |. 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
00439534 |. E8 35980300 call PowerCHM.00472D6E
00439539 |. 68 C0D94B00 push PowerCHM.004BD9C0 ; ASCII "465C8C61188ADC7FA4888C9D2CAD9CDC769B9619D578A2447181797C20350E5D6E0A236F5E30D9A981E99441D6FF7BD62D5A2D77DC7D699F021B75BC7369DAB9"
0043953E |. 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
00439542 |. C68424 3C04>mov byte ptr ss:[esp+43C],9
0043954A |. E8 1F980300 call PowerCHM.00472D6E
0043954F |. 8B0D D0094C>mov ecx,dword ptr ds:[4C09D0] ; PowerCHM.004C09E4
00439555 |. 894C24 24 mov dword ptr ss:[esp+24],ecx
00439559 |. 8D8C24 EC00>lea ecx,dword ptr ss:[esp+EC]
00439560 |. C68424 3804>mov byte ptr ss:[esp+438],0B
00439568 |. E8 937AFCFF call PowerCHM.00401000
0043956D |. 8D8C24 0C02>lea ecx,dword ptr ss:[esp+20C]
00439574 |. C68424 3804>mov byte ptr ss:[esp+438],0C
0043957C |. E8 7F7AFCFF call PowerCHM.00401000
00439581 |. 8D8C24 7C01>lea ecx,dword ptr ss:[esp+17C]
00439588 |. C68424 3804>mov byte ptr ss:[esp+438],0D
00439590 |. E8 6B7AFCFF call PowerCHM.00401000
00439595 |. 8D4C24 5C lea ecx,dword ptr ss:[esp+5C]
00439599 |. C68424 3804>mov byte ptr ss:[esp+438],0E
004395A1 |. E8 5A7AFCFF call PowerCHM.00401000
004395A6 |. 8D5424 30 lea edx,dword ptr ss:[esp+30]
004395AA |. 6A 10 push 10 ; /Arg2 = 00000010
004395AC |. 52 push edx ; |Arg1
004395AD |. 8D8C24 F400>lea ecx,dword ptr ss:[esp+F4] ; |
004395B4 |. C68424 4004>mov byte ptr ss:[esp+440],0F ; |
004395BC |. E8 BF82FCFF call PowerCHM.00401880 ; \PowerCHM.00401880
004395C1 |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
004395C5 |. 6A 10 push 10 ; /Arg2 = 00000010
004395C7 |. 50 push eax ; |Arg1
004395C8 |. 8D8C24 1402>lea ecx,dword ptr ss:[esp+214] ; |
004395CF |. E8 AC82FCFF call PowerCHM.00401880 ; \PowerCHM.00401880
004395D4 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004395D8 |. 6A 10 push 10 ; /Arg2 = 00000010
004395DA |. 51 push ecx ; |Arg1
004395DB |. 8D4C24 64 lea ecx,dword ptr ss:[esp+64] ; |
004395DF |. E8 9C82FCFF call PowerCHM.00401880 ; \PowerCHM.00401880
004395E4 |. 8D9424 EC00>lea edx,dword ptr ss:[esp+EC]
004395EB |. 8D8424 0C02>lea eax,dword ptr ss:[esp+20C]
004395F2 |. 52 push edx ; /Arg3
004395F3 |. 8D8C24 A002>lea ecx,dword ptr ss:[esp+2A0] ; |
004395FA |. 50 push eax ; |Arg2
004395FB |. 51 push ecx ; |Arg1
004395FC |. 8D4C24 68 lea ecx,dword ptr ss:[esp+68] ; |
00439600 |. E8 7B84FCFF call PowerCHM.00401A80 ; \PowerCHM.00401A80
00439605 |. B9 24000000 mov ecx,24
0043960A |. 8BF0 mov esi,eax
0043960C |. 8DBC24 7C01>lea edi,dword ptr ss:[esp+17C]
00439613 |. F3:A5 rep movs dword ptr es:[edi],dword >
00439615 |. 8D8C24 9C02>lea ecx,dword ptr ss:[esp+29C]
0043961C |. E8 FF79FCFF call PowerCHM.00401020
00439621 |. 8D5424 24 lea edx,dword ptr ss:[esp+24]
00439625 |. 6A 10 push 10 ; /Arg2 = 00000010
00439627 |. 52 push edx ; |Arg1
00439628 |. 8D8C24 8401>lea ecx,dword ptr ss:[esp+184] ; |
0043962F |. E8 1C83FCFF call PowerCHM.00401950 ; \PowerCHM.00401950
00439634 |. 8B4424 24 mov eax,dword ptr ss:[esp+24]
00439638 |. 8B48 F8 mov ecx,dword ptr ds:[eax-8]
0043963B |. 81E1 010000>and ecx,80000001
00439641 |. 79 05 jns short PowerCHM.00439648 ; 跳---》跳向RIGHT
00439643 |. 49 dec ecx
00439644 |. 83C9 FE or ecx,FFFFFFFE
00439647 |. 41 inc ecx
00439648 |> 83F9 01 cmp ecx,1
0043964B |. 0F85 D80000>jnz PowerCHM.00439729 ; 跳---》跳向RIGHT
00439651 |. 8D4C24 5C lea ecx,dword ptr ss:[esp+5C]
00439655 |. C68424 3804>mov byte ptr ss:[esp+438],0E
0043965D |. E8 BE79FCFF call PowerCHM.00401020
00439662 |. 8D8C24 7C01>lea ecx,dword ptr ss:[esp+17C]
00439669 |. C68424 3804>mov byte ptr ss:[esp+438],0D
00439671 |. E8 AA79FCFF call PowerCHM.00401020
00439676 |. 8D8C24 0C02>lea ecx,dword ptr ss:[esp+20C]
0043967D |. C68424 3804>mov byte ptr ss:[esp+438],0C
00439685 |. E8 9679FCFF call PowerCHM.00401020
0043968A |. 8D8C24 EC00>lea ecx,dword ptr ss:[esp+EC]
00439691 |. C68424 3804>mov byte ptr ss:[esp+438],0B
00439699 |. E8 8279FCFF call PowerCHM.00401020
0043969E |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
004396A2 |. C68424 3804>mov byte ptr ss:[esp+438],0A
004396AA |. E8 51960300 call PowerCHM.00472D00
004396AF |. 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
004396B3 |. C68424 3804>mov byte ptr ss:[esp+438],9
004396BB |. E8 40960300 call PowerCHM.00472D00
004396C0 |. 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
004396C4 |. C68424 3804>mov byte ptr ss:[esp+438],6
004396CC |. E8 2F960300 call PowerCHM.00472D00
004396D1 |. 895C24 34 mov dword ptr ss:[esp+34],ebx
004396D5 |. 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
004396D9 |. C68424 3804>mov byte ptr ss:[esp+438],10
004396E1 |. E8 1A960300 call PowerCHM.00472D00
004396E6 |. 8D4C24 48 lea ecx,dword ptr ss:[esp+48]
004396EA |. C68424 3804>mov byte ptr ss:[esp+438],2
004396F2 |. E8 85F30300 call PowerCHM.00478A7C
004396F7 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004396FB |. C68424 3804>mov byte ptr ss:[esp+438],1
00439703 |. E8 F8950300 call PowerCHM.00472D00
00439708 |> 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0043970C |. C68424 3804>mov byte ptr ss:[esp+438],0
00439714 |. E8 E7950300 call PowerCHM.00472D00
00439719 |. C78424 3804>mov dword ptr ss:[esp+438],-1
00439724 |. E9 1A030000 jmp PowerCHM.00439A43
00439729 |> 8B15 D0094C>mov edx,dword ptr ds:[4C09D0] ; PowerCHM.004C09E4
0043972F |. 895424 1C mov dword ptr ss:[esp+1C],edx
00439733 |. 51 push ecx
00439734 |. 8D4424 28 lea eax,dword ptr ss:[esp+28]
00439738 |. B3 11 mov bl,11
0043973A |. 8BCC mov ecx,esp
0043973C |. 896424 2C mov dword ptr ss:[esp+2C],esp
00439740 |. 50 push eax
00439741 |. 889C24 4004>mov byte ptr ss:[esp+440],bl
00439748 |. E8 28930300 call PowerCHM.00472A75
0043974D |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14] ; |
00439751 |. 51 push ecx ; |Arg1
00439752 |. 8BCD mov ecx,ebp ; |
00439754 |. E8 17030000 call PowerCHM.00439A70 ; \PowerCHM.00439A70
00439759 |. 50 push eax
0043975A |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0043975E |. C68424 3C04>mov byte ptr ss:[esp+43C],12
00439766 |. E8 CE960300 call PowerCHM.00472E39
0043976B |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0043976F |. 889C24 3804>mov byte ptr ss:[esp+438],bl
00439776 |. E8 85950300 call PowerCHM.00472D00
0043977B |. 68 B0D94B00 push PowerCHM.004BD9B0 ; ASCII "copyno"
00439780 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00439784 |. E8 A0590300 call PowerCHM.0046F129
00439789 |. 8BF0 mov esi,eax
0043978B |. 83CF FF or edi,FFFFFFFF
0043978E |. 3BF7 cmp esi,edi
00439790 |. 0F85 A60000>jnz PowerCHM.0043983C ; 跳---注册成功!!!
D;只有爆破了,KEYFILE为reg.ini
用UltraEdit 32 更改原程序的以下5处,上面的是原代码,下面的是修改的
1,43951A----》不能跳---》跳向WRONG
0F8C D4040000
0F8C 00000000
2,439525----》不能跳---》跳向WRONG
0F8F C9040000
0F8F 00000000
3,439641----》跳---》跳向RIGHT
79 00439648
EB 00439648
4,43964B----》跳
0F85 D8000000
90E9 D8000000
5,439790----》跳
0F85 A6000000
90E9 A6000000
本人跟了很多次,发现43962F处为检验密码的关键CALL,并且密码必须=120位,好像必须是128位,具体算法是CRC16可具体过程始终没有搞明白,希望论坛的高手给解释一下,先谢谢了!
1;软件介绍POWERCHM
一个制作CHM的软件,可以读入PDF!从2ddK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4J5M7$3E0&6i4K6u0W2j5$3!0E0i4@1f1@1i4@1t1^5i4K6S2n7i4@1f1^5i4@1u0p5i4@1u0p5i4@1f1%4i4K6W2m8i4K6R3@1i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1#2i4K6R3^5i4@1t1H3i4@1f1&6i4K6R3J5i4@1p5K6i4@1f1&6i4K6R3%4i4K6S2o6i4@1f1&6i4K6R3K6i4@1u0p5i4@1f1$3i4K6R3&6i4@1u0q4i4@1f1@1i4@1t1^5i4K6S2p5i4@1f1#2i4K6R3^5i4@1t1H3i4@1f1$3i4@1t1K6i4@1p5^5i4@1f1#2i4K6R3$3i4K6S2o6i4@1f1%4i4@1p5H3i4K6R3I4i4@1g2r3i4@1u0o6i4K6R3I4
2;本人才学破解,又因为这个软件为汉化版,汉化的不完全,好多字符串都不能正常显示
3;破解工具
OllyDbg 1.10汉化版,W32Dasm,FileMon,UltraEdit 32,PEiD
4;破解过程
A;先用PEID查壳,无壳
B;用一下,发现是用KEYFILE加密的,用FILEMON察看,发现在安装文件夹里多出了一个(reg.ini),这个文件就是密码保存的地方
C;用W32Dasm反编译,用OllyDbg动态调试, 发现在43962F处为关键跳转,发现密码一定要是120位,因为发现好像是CRC16算法,就没有跟了(本人没有算法基础,呵呵)
0043950B |. E8 B25F0300 call PowerCHM.0046F4C2
00439510 |. 8B4424 14 mov eax,dword ptr ss:[esp+14]
00439514 |. 8B40 F8 mov eax,dword ptr ds:[eax-8]
00439517 |. 83F8 78 cmp eax,78
0043951A |. 0F8C D40400>jl PowerCHM.004399F4 ; 不能跳---》跳向WRONG
00439520 |. 3D 82000000 cmp eax,82
00439525 |. 0F8F C90400>jg PowerCHM.004399F4 ; 不能跳---》跳向WRONG
0043952B |. 68 B8D94B00 push PowerCHM.004BD9B8 ; ASCII "16AC3"
00439530 |. 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
00439534 |. E8 35980300 call PowerCHM.00472D6E
00439539 |. 68 C0D94B00 push PowerCHM.004BD9C0 ; ASCII "465C8C61188ADC7FA4888C9D2CAD9CDC769B9619D578A2447181797C20350E5D6E0A236F5E30D9A981E99441D6FF7BD62D5A2D77DC7D699F021B75BC7369DAB9"
0043953E |. 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
00439542 |. C68424 3C04>mov byte ptr ss:[esp+43C],9
0043954A |. E8 1F980300 call PowerCHM.00472D6E
0043954F |. 8B0D D0094C>mov ecx,dword ptr ds:[4C09D0] ; PowerCHM.004C09E4
00439555 |. 894C24 24 mov dword ptr ss:[esp+24],ecx
00439559 |. 8D8C24 EC00>lea ecx,dword ptr ss:[esp+EC]
00439560 |. C68424 3804>mov byte ptr ss:[esp+438],0B
00439568 |. E8 937AFCFF call PowerCHM.00401000
0043956D |. 8D8C24 0C02>lea ecx,dword ptr ss:[esp+20C]
00439574 |. C68424 3804>mov byte ptr ss:[esp+438],0C
0043957C |. E8 7F7AFCFF call PowerCHM.00401000
00439581 |. 8D8C24 7C01>lea ecx,dword ptr ss:[esp+17C]
00439588 |. C68424 3804>mov byte ptr ss:[esp+438],0D
00439590 |. E8 6B7AFCFF call PowerCHM.00401000
00439595 |. 8D4C24 5C lea ecx,dword ptr ss:[esp+5C]
00439599 |. C68424 3804>mov byte ptr ss:[esp+438],0E
004395A1 |. E8 5A7AFCFF call PowerCHM.00401000
004395A6 |. 8D5424 30 lea edx,dword ptr ss:[esp+30]
004395AA |. 6A 10 push 10 ; /Arg2 = 00000010
004395AC |. 52 push edx ; |Arg1
004395AD |. 8D8C24 F400>lea ecx,dword ptr ss:[esp+F4] ; |
004395B4 |. C68424 4004>mov byte ptr ss:[esp+440],0F ; |
004395BC |. E8 BF82FCFF call PowerCHM.00401880 ; \PowerCHM.00401880
004395C1 |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
004395C5 |. 6A 10 push 10 ; /Arg2 = 00000010
004395C7 |. 50 push eax ; |Arg1
004395C8 |. 8D8C24 1402>lea ecx,dword ptr ss:[esp+214] ; |
004395CF |. E8 AC82FCFF call PowerCHM.00401880 ; \PowerCHM.00401880
004395D4 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004395D8 |. 6A 10 push 10 ; /Arg2 = 00000010
004395DA |. 51 push ecx ; |Arg1
004395DB |. 8D4C24 64 lea ecx,dword ptr ss:[esp+64] ; |
004395DF |. E8 9C82FCFF call PowerCHM.00401880 ; \PowerCHM.00401880
004395E4 |. 8D9424 EC00>lea edx,dword ptr ss:[esp+EC]
004395EB |. 8D8424 0C02>lea eax,dword ptr ss:[esp+20C]
004395F2 |. 52 push edx ; /Arg3
004395F3 |. 8D8C24 A002>lea ecx,dword ptr ss:[esp+2A0] ; |
004395FA |. 50 push eax ; |Arg2
004395FB |. 51 push ecx ; |Arg1
004395FC |. 8D4C24 68 lea ecx,dword ptr ss:[esp+68] ; |
00439600 |. E8 7B84FCFF call PowerCHM.00401A80 ; \PowerCHM.00401A80
00439605 |. B9 24000000 mov ecx,24
0043960A |. 8BF0 mov esi,eax
0043960C |. 8DBC24 7C01>lea edi,dword ptr ss:[esp+17C]
00439613 |. F3:A5 rep movs dword ptr es:[edi],dword >
00439615 |. 8D8C24 9C02>lea ecx,dword ptr ss:[esp+29C]
0043961C |. E8 FF79FCFF call PowerCHM.00401020
00439621 |. 8D5424 24 lea edx,dword ptr ss:[esp+24]
00439625 |. 6A 10 push 10 ; /Arg2 = 00000010
00439627 |. 52 push edx ; |Arg1
00439628 |. 8D8C24 8401>lea ecx,dword ptr ss:[esp+184] ; |
0043962F |. E8 1C83FCFF call PowerCHM.00401950 ; \PowerCHM.00401950
00439634 |. 8B4424 24 mov eax,dword ptr ss:[esp+24]
00439638 |. 8B48 F8 mov ecx,dword ptr ds:[eax-8]
0043963B |. 81E1 010000>and ecx,80000001
00439641 |. 79 05 jns short PowerCHM.00439648 ; 跳---》跳向RIGHT
00439643 |. 49 dec ecx
00439644 |. 83C9 FE or ecx,FFFFFFFE
00439647 |. 41 inc ecx
00439648 |> 83F9 01 cmp ecx,1
0043964B |. 0F85 D80000>jnz PowerCHM.00439729 ; 跳---》跳向RIGHT
00439651 |. 8D4C24 5C lea ecx,dword ptr ss:[esp+5C]
00439655 |. C68424 3804>mov byte ptr ss:[esp+438],0E
0043965D |. E8 BE79FCFF call PowerCHM.00401020
00439662 |. 8D8C24 7C01>lea ecx,dword ptr ss:[esp+17C]
00439669 |. C68424 3804>mov byte ptr ss:[esp+438],0D
00439671 |. E8 AA79FCFF call PowerCHM.00401020
00439676 |. 8D8C24 0C02>lea ecx,dword ptr ss:[esp+20C]
0043967D |. C68424 3804>mov byte ptr ss:[esp+438],0C
00439685 |. E8 9679FCFF call PowerCHM.00401020
0043968A |. 8D8C24 EC00>lea ecx,dword ptr ss:[esp+EC]
00439691 |. C68424 3804>mov byte ptr ss:[esp+438],0B
00439699 |. E8 8279FCFF call PowerCHM.00401020
0043969E |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
004396A2 |. C68424 3804>mov byte ptr ss:[esp+438],0A
004396AA |. E8 51960300 call PowerCHM.00472D00
004396AF |. 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
004396B3 |. C68424 3804>mov byte ptr ss:[esp+438],9
004396BB |. E8 40960300 call PowerCHM.00472D00
004396C0 |. 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
004396C4 |. C68424 3804>mov byte ptr ss:[esp+438],6
004396CC |. E8 2F960300 call PowerCHM.00472D00
004396D1 |. 895C24 34 mov dword ptr ss:[esp+34],ebx
004396D5 |. 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
004396D9 |. C68424 3804>mov byte ptr ss:[esp+438],10
004396E1 |. E8 1A960300 call PowerCHM.00472D00
004396E6 |. 8D4C24 48 lea ecx,dword ptr ss:[esp+48]
004396EA |. C68424 3804>mov byte ptr ss:[esp+438],2
004396F2 |. E8 85F30300 call PowerCHM.00478A7C
004396F7 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004396FB |. C68424 3804>mov byte ptr ss:[esp+438],1
00439703 |. E8 F8950300 call PowerCHM.00472D00
00439708 |> 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0043970C |. C68424 3804>mov byte ptr ss:[esp+438],0
00439714 |. E8 E7950300 call PowerCHM.00472D00
00439719 |. C78424 3804>mov dword ptr ss:[esp+438],-1
00439724 |. E9 1A030000 jmp PowerCHM.00439A43
00439729 |> 8B15 D0094C>mov edx,dword ptr ds:[4C09D0] ; PowerCHM.004C09E4
0043972F |. 895424 1C mov dword ptr ss:[esp+1C],edx
00439733 |. 51 push ecx
00439734 |. 8D4424 28 lea eax,dword ptr ss:[esp+28]
00439738 |. B3 11 mov bl,11
0043973A |. 8BCC mov ecx,esp
0043973C |. 896424 2C mov dword ptr ss:[esp+2C],esp
00439740 |. 50 push eax
00439741 |. 889C24 4004>mov byte ptr ss:[esp+440],bl
00439748 |. E8 28930300 call PowerCHM.00472A75
0043974D |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14] ; |
00439751 |. 51 push ecx ; |Arg1
00439752 |. 8BCD mov ecx,ebp ; |
00439754 |. E8 17030000 call PowerCHM.00439A70 ; \PowerCHM.00439A70
00439759 |. 50 push eax
0043975A |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0043975E |. C68424 3C04>mov byte ptr ss:[esp+43C],12
00439766 |. E8 CE960300 call PowerCHM.00472E39
0043976B |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0043976F |. 889C24 3804>mov byte ptr ss:[esp+438],bl
00439776 |. E8 85950300 call PowerCHM.00472D00
0043977B |. 68 B0D94B00 push PowerCHM.004BD9B0 ; ASCII "copyno"
00439780 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00439784 |. E8 A0590300 call PowerCHM.0046F129
00439789 |. 8BF0 mov esi,eax
0043978B |. 83CF FF or edi,FFFFFFFF
0043978E |. 3BF7 cmp esi,edi
00439790 |. 0F85 A60000>jnz PowerCHM.0043983C ; 跳---注册成功!!!
D;只有爆破了,KEYFILE为reg.ini
用UltraEdit 32 更改原程序的以下5处,上面的是原代码,下面的是修改的
1,43951A----》不能跳---》跳向WRONG
0F8C D4040000
0F8C 00000000
2,439525----》不能跳---》跳向WRONG
0F8F C9040000
0F8F 00000000
3,439641----》跳---》跳向RIGHT
79 00439648
EB 00439648
4,43964B----》跳
0F85 D8000000
90E9 D8000000
5,439790----》跳
0F85 A6000000
90E9 A6000000
本人跟了很多次,发现43962F处为检验密码的关键CALL,并且密码必须=120位,好像必须是128位,具体算法是CRC16可具体过程始终没有搞明白,希望论坛的高手给解释一下,先谢谢了!